The Moon router worm. Your anti-virus has probably been updated to detect it, but won't protect you

Late last week, news emerged of a worm spreading between Linksys routers.

What's unusual about the worm, which has been dubbed "The Moon", is that it doesn't infect computers. In fact, it never gets as far as your computer.

And that means up-to-date anti-virus software running on your computer isn't going to stop it. The worm never reaches a device which has anti-virus protection running on it.

It also means the worm doesn't care whether your computer is running Windows, Mac OS X or a flavour of Unix. That's irrelevant: your Linksys router could still be at risk.

The only things The Moon worm is interested in infecting are Linksys routers - like the one you might use to connect the computers in your home or office to the internet - that suffer from an authentication bypass vulnerability.

The self-replicating worm compromises your Linksys router without needing to know your router's password - the authentication bypass means no credentials are required - and then uses the device to scan for other vulnerable routers on the internet.

One consequence is that the worm can generate a lot of network traffic from your connection as it scans, slowing down your internet access.
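The scanning behaviour just described is observable from the network side, which is where a worm that never touches your PC has to be caught. The following is an added example, not code from the original post: it flags any source that opens connections to an unusually large number of distinct destinations on the same few ports within a short window. The log format, the choice of router admin ports (80 and 8080) as the ports a scan would probe, and the sample log lines are all assumptions constructed for illustration.

```python
"""Added example (not from the original post): flag worm-style scanning in a connection log.

Assumptions for illustration only: the log format below, and that the worm probes
router admin ports 80 and 8080. The log lines are constructed, not captured.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port>"
def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_scanners(lines, ports=(80, 8080), window=timedelta(seconds=60), threshold=30):
    """Return {src_ip: peak_distinct_destinations} for every source that reaches
    more than `threshold` distinct destination IPs on `ports` inside any `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port in ports:                      # only the ports a router scan would touch
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                          # the sliding window needs time order
        in_window = Counter()                  # dst -> hits currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # evict events that fell out of the window ending at `ts`
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[src] = peak
    return flagged

def constructed_log():
    """Constructed sample, not captured traffic."""
    base = datetime(2014, 2, 14, 10, 0, 0)
    lines = []
    # Assumed infected router (WAN address 198.51.100.20) sweeping port 8080 on 50 hosts in 50 s
    for i in range(50):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 198.51.100.20 203.0.113.{i + 1} 8080")
    # The same router also fetches one HTTPS page: not an admin port, so it is ignored
    lines.append(f"{(base + timedelta(seconds=10)).isoformat()} 198.51.100.20 192.0.2.200 443")
    # A normal client talking to a handful of web servers over the same minute
    for i, site in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.21 {site} 80")
    return lines

if __name__ == "__main__":
    for src, peak in detect_scanners(constructed_log()).items():
        print(f"possible scanner: {src} reached {peak} distinct hosts in one window")
```

The threshold and window are deliberately tunable: a home connection rarely contacts dozens of distinct hosts on the same port inside a minute, while a busy office gateway might, so calibrate against a few days of your own logs before alerting on it.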

Linksys says it is working on a firmware fix for the vulnerability, and that it plans to post it "in the coming weeks".

It is, of course, a race against time as hackers might attempt to exploit the same vulnerability for more obviously malicious purposes. There is already evidence that script kiddies have created working exploits of the vulnerability.

Hmm... wouldn't it have been better if Linksys had also advised users to choose HTTPS access in that screenshot?

Whatever brand of router you use at home or in a small office, you should consider disabling features which expose you to unnecessary risk.

For instance, remote administration - managing the router from the internet side rather than from your own network - is exactly the kind of exposure an internet-borne worm needs. Turning it off, or at the very least limiting it to specific trusted IP addresses, reduces the attack surface and makes life much harder for online criminals who may attempt to infiltrate your network.

Furthermore, make sure you are not still using the default password which shipped with your router. That won't stop a worm which bypasses authentication altogether, but it closes the door on the far more common attacks which simply try the factory credentials.
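To make the remote-administration advice concrete, here is an added example (not code from the original post or from Linksys) that expresses the two options above - turn remote administration off, or restrict it to trusted addresses - as a WAN-side firewall policy, checks it against sample connection attempts, and renders the equivalent iptables rules. Assumptions for illustration only: the WAN interface is "eth0", the LAN bridge is "br-lan", the admin interface listens on TCP 80 and 8080, and 203.0.113.7 is the single trusted management address. The connection attempts are constructed, not observed.

```python
"""Added example (not from the original post or Linksys): a WAN-side admin-access policy.

Assumptions for illustration only: WAN interface "eth0", LAN bridge "br-lan",
admin UI on TCP 80 and 8080, and 203.0.113.7 as the one trusted management host.
"""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = (80, 8080)   # assumed admin-interface ports
WAN_IFACE = "eth0"         # assumed WAN interface name

@dataclass(frozen=True)
class Policy:
    remote_admin_enabled: bool
    trusted_sources: tuple  # CIDR strings allowed to reach the admin UI from the WAN

    def allows(self, iface, src_ip, dst_port):
        """Decide whether a connection may reach the router's admin interface."""
        if dst_port not in ADMIN_PORTS:
            return True   # not the admin UI; outside this policy's scope
        if iface != WAN_IFACE:
            return True   # LAN-side administration stays available
        if not self.remote_admin_enabled:
            return False  # remote administration off: nothing from the WAN reaches the UI
        src = ipaddress.ip_address(src_ip)
        return any(src in ipaddress.ip_network(net) for net in self.trusted_sources)

    def to_iptables(self):
        """Render the same policy as iptables commands (strings only; nothing is run)."""
        rules = []
        for port in ADMIN_PORTS:
            if self.remote_admin_enabled:
                for net in self.trusted_sources:
                    rules.append(f"iptables -A INPUT -i {WAN_IFACE} -p tcp --dport {port} -s {net} -j ACCEPT")
            # ACCEPT rules for trusted sources must precede this catch-all DROP
            rules.append(f"iptables -A INPUT -i {WAN_IFACE} -p tcp --dport {port} -j DROP")
        return rules

# Constructed connection attempts: (interface, source address, destination port)
ATTEMPTS = {
    "worm_probe_from_internet": (WAN_IFACE, "198.51.100.23", 8080),
    "admin_from_trusted_host": (WAN_IFACE, "203.0.113.7", 8080),
    "admin_from_lan": ("br-lan", "192.168.1.50", 80),
}

# Remote administration reachable from anywhere: the exposure the post warns about
WEAK = Policy(remote_admin_enabled=True, trusted_sources=("0.0.0.0/0",))
# Remote administration kept, but only from the one trusted management address
RESTRICTED = Policy(remote_admin_enabled=True, trusted_sources=("203.0.113.7/32",))
# Remote administration off altogether; manage the router from the LAN only
OFF = Policy(remote_admin_enabled=False, trusted_sources=())

def evaluate(policy):
    """Map each constructed attempt to whether `policy` lets it through."""
    return {name: policy.allows(*attempt) for name, attempt in ATTEMPTS.items()}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("restricted", RESTRICTED), ("off", OFF)):
        print(label, evaluate(policy))
    print("\n".join(RESTRICTED.to_iptables()))
```

Note that even the restricted policy still presents the admin interface to one internet address; only the "off" policy removes the WAN-side listener from the attack surface entirely, which is why it is the better default unless you genuinely need to manage the router from outside.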

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.

I'm shocked to read this. And hey – I would not be surprised to see a sudden, coordinated attack taking place at short notice, now that the word is out, only to bring a large portion of Western internet traffic to a grinding halt. This is even fancier and easier for the jerks out there than a DDoS attack can ever be. Could it be state-sponsored, I'm asking myself.

The reason HTTP is enabled by default is because most routers don't ship with a proper SSL Cert, so using HTTPS would mean relying on the local self-signed certificate, which is not something they want the average user to work on.

I know it's an old post, but nonetheless, HTTPS provides security against man-in-the-middle attacks.
If it's at the point where someone has access to the traffic between you on your local network and your router (which likely involves hardware access), someone trying to change your router's settings is the least of your problems.

As long as external access is disabled, HTTPS will not give you much security, if any at all. Of course it's an entirely different story for remote access, which should only be enabled through HTTPS; even a self-signed certificate is better than none there.

This thing got into my Linksys EA2700. Maybe coincidentally, but I attempted to download the "adobe" update and the problems ensued. Continued pop-ups, "unauthorized access" warning pages with actual phone numbers to call, mouse will not work on most links on webpages, Windows Defender got shut down and I cannot get it back, I cannot log on as the administrator unless in "safe mode". I finally read where this virus affected my Linksys router. So I deleted Cisco Connect from my PC and tried to re-install the router and update the firmware. My computer went into a "4th of July" mode with ALL (I had about 7 or 8 pages open) the pages flashing at the speed of light, trying to reload the browser. I finally got it to shut down and rebooted, but I am at a loss. My router is connected again but with very little signal strength. However, the "guest router" (which I didn't even know I had) has full signal. Anyone got any ideas? I'm thinking "new" router. Bobby